Web services running on OpenStack controllers, especially those exposed to the Internet, may be vulnerable to various types of web-based attacks. One of the most dangerous attack vectors is injection, rated number one in the OWASP Top Ten. Exploiting this type of vulnerability may lead to data loss or corruption (tampering), lack of accountability (repudiation), DoS, or, in some scenarios, complete host takeover (EoP) leading to cluster compromise.
Whenever possible, use a Web Application Firewall (WAF) to add an additional layer of security against web attacks. ModSecurity is an open source WAF implementation for the Apache web server that protects against multiple types of attacks, including SQL injection.
Follow the steps below to install ModSecurity 2.9.1 with the OWASP core ruleset (https://github.com/SpiderLabs/owasp-modsecurity-crs) on Ubuntu 14.04.
The default installation will enforce base rule protection on all local OpenStack services: Keystone, Horizon, Zabbix, and RadosGW, if present.
Install the required packages:
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install --yes libyajl-dev libxml2 libxml2-dev liblua5.1 apache2-prefork-dev git
Enable unique_id for Apache. It adds a magic token to each request which is guaranteed to be unique. The environment variable UNIQUE_ID is set to the identifier for each request.
sudo a2enmod unique_id
sudo service apache2 restart
Download ModSecurity and compile it with JSON support, which is required for Keystone protection:
cd ~
wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
tar xvzf modsecurity-2.9.1.tar.gz
cd modsecurity-2.9.1/
./configure --with-yajl="/usr/lib/x86_64-linux-gnu /usr/include/yajl"
sudo make
sudo make install
Create the module configuration files:
echo -e "<IfModule security2_module>\n\tSecDataDir /var/cache/modsecurity\n\tIncludeOptional /etc/modsecurity/*.conf\n</IfModule>" | sudo tee /etc/apache2/mods-available/security2.conf
echo -e "LoadFile /usr/lib/x86_64-linux-gnu/libxml2.so.2\nLoadModule security2_module /usr/lib/apache2/modules/mod_security2.so" | sudo tee /etc/apache2/mods-available/security2.load
sudo mkdir -p /etc/modsecurity/
sudo cp modsecurity.conf-recommended unicode.mapping /etc/modsecurity/
sudo mv /etc/modsecurity/modsecurity.conf{-recommended,}
Enable the ModSecurity module:
sudo a2enmod security2
sudo service apache2 restart
Warning
The command below will turn on the ModSecurity engine with base rules for all sites on the given host. Verify that the sites are not blocked by the rules due to false positives. Test this before deploying to production.
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf
Download and install the OWASP core rule set:
cd /tmp
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
sudo cp -r owasp-modsecurity-crs/* /etc/modsecurity/
sudo cp /tmp/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
sudo sed -i '$iIncludeOptional "/etc/modsecurity/activated_rules/*.conf"' /etc/apache2/mods-available/security2.conf
Enable the rules:
Option 1: Enable only the rules for the SQL injection attack:
sudo ln -s /etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf /etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
Option 2: Enable all base rules:
sudo ls /etc/modsecurity/base_rules | xargs -I {} sudo ln -s /etc/modsecurity/base_rules/{} /etc/modsecurity/activated_rules/{}
Note
Rule customization for Zabbix and Horizon, if they are present, is necessary because otherwise ModSecurity can block access to them. Add the additional file /etc/modsecurity/horizon.conf with the following content:
<LocationMatch "/horizon/">
    SecRuleRemoveById 981318
</LocationMatch>
<LocationMatch "/zabbix/">
    SecRuleRemoveById 981318
</LocationMatch>
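The Warning above says to check for false positives before switching SecRuleEngine to On, and the Note shows the resulting per-location exclusions for rule 981318. The following added Python script (an example written for this page, not code from ModSecurity or the original document) parses ModSecurity 2.x messages from the Apache error log and counts hits per rule id and top-level path, so that rule/location pairs that fire repeatedly under DetectionOnly can be reviewed for a LocationMatch exclusion. The log lines it runs on are constructed samples.

```python
import re
from collections import Counter

# ModSecurity 2.x appends bracketed, double-quoted key/value fields to each
# Apache error-log message, e.g. [id "981318"] [uri "/horizon/auth/login/"].
# Unquoted brackets such as [:error] or [client 10.0.0.5:50001] do not match.
_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_modsec_line(line):
    """Return the fields of one ModSecurity error-log line, or None if the
    line is not a ModSecurity message."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(_FIELD.findall(line))
    fields["denied"] = "Access denied" in line  # False under DetectionOnly
    return fields

def top_level_prefix(uri):
    """'/horizon/auth/login/' -> '/horizon/', the granularity of the
    LocationMatch exclusions shown in the Note."""
    first = uri.strip("/").split("/", 1)[0]
    return "/%s/" % first if first else "/"

def summarize(lines):
    """Count how often each (rule id, path prefix) pair fired."""
    hits = Counter()
    for line in lines:
        fields = parse_modsec_line(line)
        if not fields or "id" not in fields:
            continue
        hits[(fields["id"], top_level_prefix(fields.get("uri", "/")))] += 1
    return hits

def suggest_exclusions(hits, threshold):
    """Pairs that fired at least `threshold` times during DetectionOnly
    testing: candidates for SecRuleRemoveById inside a LocationMatch,
    after a human has confirmed the requests were legitimate."""
    return sorted(pair for pair, count in hits.items() if count >= threshold)

# Constructed sample lines in the Apache 2.4 error-log layout; not real traffic.
SAMPLE_LOG = [
    '[Tue Mar 01 10:00:01.000001 2016] [:error] [pid 1234] [client 10.0.0.5:50001] ModSecurity: Warning. Pattern match "x" at ARGS:username. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "981318"] [msg "constructed sample"] [uri "/horizon/auth/login/"] [unique_id "VtU8ZAoAAAEAAAXaBKQAAAAA"]',
    '[Tue Mar 01 10:00:02.000001 2016] [:error] [pid 1234] [client 10.0.0.5:50002] ModSecurity: Warning. Pattern match "x" at ARGS:region. [file "/etc/modsecurity/activated_rules/sample.conf"] [line "1"] [id "981318"] [msg "constructed sample"] [uri "/horizon/project/instances/"] [unique_id "VtU8ZQoAAAEAAAXaBKUAAAAA"]',
    '[Tue Mar 01 10:00:03.000001 2016] [:error] [pid 1235] [client 10.0.0.6:50003] ModSecurity: Warning. Pattern match "x" at ARGS:sid. [file "/etc/modsecurity/activated_rules/sample.conf"] [line "1"] [id "981318"] [msg "constructed sample"] [uri "/zabbix/index.php"] [unique_id "VtU8ZgoAAAEAAAXaBKYAAAAA"]',
    '[Tue Mar 01 10:00:04.000001 2016] [:error] [pid 1235] [client 10.0.0.7:50004] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/activated_rules/sample.conf"] [line "1"] [id "900000"] [msg "constructed sample"] [uri "/v2.0/tokens"] [unique_id "VtU8ZwoAAAEAAAXaBKcAAAAA"]',
    '[Tue Mar 01 10:00:05.000001 2016] [:notice] [pid 1230] AH00094: Command line: /usr/sbin/apache2',
]

if __name__ == "__main__":
    for (rule_id, prefix), count in sorted(summarize(SAMPLE_LOG).items()):
        print("%s %-12s %d" % (rule_id, prefix, count))
```

On a real controller, feed it the lines of /var/log/apache2/error.log instead of SAMPLE_LOG; the unique_id field ties each hit back to the request enabled by the unique_id module above.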